More Related Content
Similar to OpenID Connect 4 SSI (at EIC 2021) (20)
OpenID Connect 4 SSI (at EIC 2021)
- 1. OpenID Connect for SSI Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes.com v.02
- 2. The power of Verifiable Credentials and SSI End-users directly receiving credentials from the issuers, and directly presenting credentials to the verifiers
- 3. The Problem Verifiable Credentials is only a data model… … How to transport Verifiable Credentials when implementing?
- 4. The Simple and Secure Solution: OpenID Connect for SSI Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials “OpenID Connect for SSI” spec family OIDC4SSI work is conducted in liaison between OpenID Foundation and DIF (Decentralized Identity Foundation)
- 5. - Provide the community with a solution for SSI applications leveraging the simplicity and security of OpenID Connect - Security of OpenID Connect has been test and formally analysed - Allow existing OpenID Connect RPs to access SSI credential Why extend OpenID Connect to support SSI?
- 6. ① Direct interaction between End-users and the verifiers (Self-Issued OP v2) (former DIF DID- SIOP) OpenID Connect for SSI Components Issuer (Website) Verifier (Website) Holder (Digital Wallet) Issue Credentials Present Credentials ② Transportation of Verifiable Credentials using OpenID Connect (OpenID Connect for Verifiable Presentations - OIDC4VP) ③ Issuance of Verifiable Credentials usingOpenIDConnect (Claims Aggregation)
- 7. What Each Specification Provides SIOP V2 • Proof of possession of signing keys • Self-Signed Claims • Supports on same- device and cross- device flows OIDC4VP • Presentation of verifiable credentials issued by trusted third parties • Can be used with SIOP v2 and "traditional" OpenID Connect Claims Aggregation • Unified approach for intermediaries (Identity Agents) to obtain claims and credentials from trusted third parties • Will support issuance of verifiable credentials
- 8. SIOP v2
- 9. 1. SIOP v2 OpenID Connect 3P Provider model (simplified) Self-Issued OP model ⓪ User tries to log in Website (RP) User Agent OP (3P OpenID Provider) Alice ① 3rd Party OP issues an ID Token ⓪ User tries to log in Website (RP) User Agent OP ① OP on the user device issues ID Token Alice Self-Issued OP is an OP within the End-user’s local control. SIOP enables End-users to interact with verifiers directly, without relying on a third-party provider or having to operate their own hosted infrastructure.
- 10. • Same-device User opens up a RP Website on the same device than where Self-Issued OP is also located • Cross-device User opens up a RP Website on a different device than where Self- Issued OP is also located Webs ite (RP) User Agent OP Same-device and Cross-device SIOP Website (RP) User Agent OP
- 11. SIOP request–response example SIOP Response – ID Token SIOP Request
- 12. OpenID Connect 4 Verifiable Presentations
- 13. • Works with all OpenID Connect Flows (SIOP v2, code, CIBA, …) • Request syntax uses "claims" parameter & DIF Presentation Exchange • Supports different credential/presentation formats: • encoded as JSON or JSON-LD • signed as a JWS or Linked Data Proofs • Supports different transports: • Embed in ID Token or Userinfo response • Return in (newly defined) VP Token alongside ID Token from authorization or token endpoint OpenID Connect for Verifiable Presentations enables presentation of W3C Verifiable Credentials using OpenID Connect. 2. OIDC4VP
- 14. Response – decoded ID Token OIDC4VP request–response example (SIOP, LD Proofs, VP Token) Request with `claims` parameter and DIF Presentation Exchange Response – VP Token containing Verifiable Presentation
- 15. DEMO Bringing it all together ...
- 16. SIOP v2 / OIDC4VPs Prototype • Implemented within IDUnion project • Team: Sebastian Bickerle, Paul Wenzel, Fabian Hauck, & Dr. Daniel Fett • Use Case: Login to NextCloud using Verifiable Credentials • Based on • Existing NextCloud OpenID Connect Plugin • lissi Wallet • Hyperledger Indy & Indy SDK
- 17. DEMO • On device: https://youtu.be/gDg2ma7TwWU • Cross device: https://youtu.be/hC3VQE-vMnQ
- 18. Details & Findings • SIOP instead of DIDComm • No separate connection establishment step required • On device: • Direct communication between verifier and wallet w/o cloud agent/network communication • Cross device: • Additional backend call from wallet to verifier (HTTPS POST) • QR Code pretty huge
- 19. Next Steps • SIOP v2 • Resolvable client ids (DIDs, Entity Statements) • OP Discovery • Security Analysis • OIDC4VP • Integration of presentation submissions • Additional Security Considerations • Gather Implementors Feedback • Claims Aggregation • Request by credential type • Proof of possession of key material (vs client authentication) • Use with other grant type than "code"
- 20. If you want to learn more
- 21. Backup
- 22. 3. Claims Aggregation - Under Development (merged with Credential Provider draft) Enables Holder to obtain Verifiable Credentials from the Issuer(s). 3. Claims Aggregation
- 23. Status and Topics being worked on - Adoption - Prototypes - Open Topics
- 24. 3 components of “SIOP” work Presentation 1. Self-Issued OpenID Provider model 2. SIOP can present claims to the RP as W3C Verifiable Presentations Issuance 3. SIOP get claims issued from the Claims Providers * 2 and 3 are applicable to the entire OpenID Connect Claims Provider 1 SIOP RP a b a b 1, 2 3 Claims Provider 2 ACPs IP
- 25. 1. Resilience against Sudden or Planned OP Unavailability (natural disasters, a planned business decision, etc.) 2. Authentication at the edge, in environments which may have reduced connectivity. 3. Sharing credentials from several issuers in one transaction 4. Aggregation of multiple personas under one Self-Issued OP, as an alternative to using multiple OPs for different RPs Use Cases
- 26. Base64URL encoded VP in a JWT format Request Response 2. OIDC4VP - A) Embedding an entire VP inside the ID Token (SIOP)
- 27. ID T oken and VP Token are bound via `nonce` ‘VP T oken’ contains an entire VP 2. OIDC4VP – B) Returning VP as a VP Token (code flow) Request Response – ID Token Response – VP Token
- 28. Format (JWT/JSON-LD) Way to present (ID Token/VP Token) Protocol (SIOP / usual OIDC) JWT Inside ID Token SIOP JWT VP Token SIOP JWT Inside ID Token Usual OIDC JWT VP Token Usual OIDC JSON-LD Inside ID Token SIOP JSON-LD VP Token SIOP JSON-LD Inside ID Token Usual OIDC JSON-LD VP Token Usual OIDC All variations of OIDC4VP